[Zope3-Users] Re: Denying permissions for 'everybody' - which principals to use?

Jeff Shell eucci.group at gmail.com
Fri Dec 2 18:03:52 EST 2005


Nobody knows? I'm bouncing this up to see if anyone has any input yet.
I had some other projects come up that put this on hold for a bit, but
just now looking at the code I realized I still need help. And before
I go through the joys of experimentation this weekend or early next
week with all of the combinations I ask here, I thought I'd float this
by again. The summary of what I say below is: I don't know how to
programmatically deny zope.View to everybody. The implementation I
currently have challenges the visitor but then still allows access to
the object in question even if the HTTP auth challenge box is canceled
out of.


On 11/16/05, Jeff Shell <eucci.group at gmail.com> wrote:
> For a simple content management system we're building, I've started
> working on a simple security interface which is supposed to enable /
> disable 'view' (and dublin core view). The setup that I have - or want
> to have - is a UI that says:
>
> Who can see this item?
>
> - Everybody
> - Nobody (grants view to zope.Manager and our.cms.ContentEditor roles
> only, for now)
> - Specific Users
>
> If 'specific users' is selected, users from the local principal folder
> are listed for selection.
>
> I seem to have my implementation working somewhat - I can go to the
> normal Grant screen and see specific users have 'Allow' checked for
> the view permissions managed by my sharing view. And 'zope.anybody' is
> denied:
>
> >>> pprint(settingsForObject(jobs))
> [(u'jobs',
>   {'principalPermissions': [{'permission': 'zope.View',
>                              'principal': u'brcmscms.user2',
>                              'setting': PermissionSetting: Allow},
>                             {'permission': 'zope.View',
>                              'principal': 'zope.anybody',
>                              'setting': PermissionSetting: Deny},
>                             {'permission': 'zope.app.dublincore.view',
>                              'principal': u'brcmscms.user2',
>                              'setting': PermissionSetting: Allow},
>                             {'permission': 'zope.app.dublincore.view',
>                              'principal': 'zope.anybody',
>                              'setting': PermissionSetting: Deny}],
>    'principalRoles': [],
>    'rolePermissions': []}),
>   ...
>
> When I traverse to the object in question in another browser, I get
> prompted for login. But if I supply different credentials (i.e., one of
> the users not Allowed explicit view privileges), I'll still see the
> page.
>
> Am I denying the right person here? Globally, the permission is set up
> as follows:
>
>                        {'permission': 'zope.View',
>                         'role': 'zope.Anonymous',
>                         'setting': PermissionSetting: Allow},
>
> Should I Deny access to the zope.Anonymous role? To the Everybody
> group? To the Unauthenticated Group? Right now, I only deny the
> principal:
>
>     # Imports added for the snippet to run as a Zope 3.1 module (the
>     # method itself is unchanged from the original message).
>     from zope.app import zapi
>     from zope.app.security.interfaces import IUnauthenticatedPrincipal
>     from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager
>
>     def denyUnauthenticated(self):
>         """ Explicitly deny the view permissions for unauthenticated users. """
>         # Look up the id of the unauthenticated principal (e.g. 'zope.anybody')
>         anybody = zapi.getUtility(IUnauthenticatedPrincipal).id
>         # Local principal-permission manager for this content object
>         pmanager = IPrincipalPermissionManager(self.context)
>         for permission in self._view_permissions:
>             pmanager.denyPermissionToPrincipal(permission, anybody)
>
> This is in Zope 3.1.0 on Python 2.3.5
>
> The point of this simple 'sharing' interface is to let our customer
> have a press folder that they can restrict access to by allowing only
> limited people into it. We're trying to keep the user interface as
> simple as possible.
>
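The symptom in the message (an authenticated user who was never granted view still sees the page) follows from what a principal-level deny actually binds to: it only applies to the one principal id it names, so any other principal falls through to the role-based lookup, where the global Allow of zope.View to the zope.Anonymous role still applies. The model below is an added example written for this archive page; it is not code from the original post and not zope.app.securitypolicy's own implementation. It models the precedence the settingsForObject() dump suggests (an explicit principalPermissions setting wins, nearest object first and global last; otherwise the principal is allowed if any role it holds has the permission Allowed). The way the zope.Anonymous role reaches authenticated visitors (here via a constructed 'grp.everybody' group), the 'brcmscms.user3' and 'manager' principals, and the nobody_mode variant that adds a role-level Deny on the folder are all assumptions, not facts taken from the post.

```python
"""Toy model of Zope 3-style grant resolution (added example, not the post's
or Zope's own code).  Precedence modelled: explicit principal setting wins,
nearest object first and global last; otherwise a principal is allowed when
any role it (or one of its groups) holds has the permission Allowed at the
nearest level.  Group ids, 'brcmscms.user3' and 'manager' are constructed."""

ALLOW, DENY = "Allow", "Deny"


class Node:
    """One content object with its local grant tables; parent=None is the root."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.principal_permissions = {}   # (principal, permission) -> setting
        self.principal_roles = {}         # (principal, role) -> setting
        self.role_permissions = {}        # (role, permission) -> setting

    def chain(self):
        """Yield this node, then each parent up to the global root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def nearest(node, table, key):
    """Nearest explicit setting for key, walking from node up to the root."""
    for n in node.chain():
        setting = getattr(n, table).get(key)
        if setting is not None:
            return setting
    return None


def roles_held(node, principals):
    """Roles any of the principals holds at node (nearest setting per role wins)."""
    seen = {}
    for n in node.chain():
        for (p, role), setting in n.principal_roles.items():
            if p in principals and (p, role) not in seen:
                seen[(p, role)] = setting
    return {role for (_, role), s in seen.items() if s == ALLOW}


def can_use(node, principal, permission, groups=()):
    """True if principal (or one of its groups) may use permission on node."""
    # 1. explicit principal grant/deny: the principal itself, then its groups
    for p in (principal,) + tuple(groups):
        s = nearest(node, "principal_permissions", (p, permission))
        if s is not None:
            return s == ALLOW
    # 2. role-derived: allowed if any held role has the permission Allowed
    for role in roles_held(node, {principal, *groups}):
        if nearest(node, "role_permissions", (role, permission)) == ALLOW:
            return True
    return False


def build_site(nobody_mode=False):
    """Global grants as shown in the post plus the sharing view's local settings.
    nobody_mode=True additionally denies zope.View to the zope.Anonymous role
    on the folder itself (the role-level alternative the post asks about)."""
    root = Node("global")
    root.role_permissions[("zope.Anonymous", "zope.View")] = ALLOW   # from the post
    root.role_permissions[("zope.Manager", "zope.View")] = ALLOW
    root.role_permissions[("our.cms.ContentEditor", "zope.View")] = ALLOW
    # ASSUMPTION: zope.Anonymous reaches every visitor through an everybody
    # group; 'grp.everybody' and the 'manager' principal are constructed ids.
    root.principal_roles[("grp.everybody", "zope.Anonymous")] = ALLOW
    root.principal_roles[("manager", "zope.Manager")] = ALLOW

    jobs = Node("jobs", root)
    jobs.principal_permissions[("brcmscms.user2", "zope.View")] = ALLOW
    jobs.principal_permissions[("zope.anybody", "zope.View")] = DENY  # denyUnauthenticated()
    if nobody_mode:
        jobs.role_permissions[("zope.Anonymous", "zope.View")] = DENY
    return jobs


if __name__ == "__main__":
    everybody = ("grp.everybody",)
    for mode in (False, True):
        jobs = build_site(nobody_mode=mode)
        print("nobody_mode=%s" % mode)
        for who in ("zope.anybody", "brcmscms.user2", "brcmscms.user3", "manager"):
            print("  %-16s zope.View -> %s" % (who, can_use(jobs, who, "zope.View", everybody)))
```

With only the principal-level deny, 'brcmscms.user3' (authenticated, never granted anything on the folder) is still allowed: the deny keyed on 'zope.anybody' never matches its id, and the role lookup finds the global Allow for zope.Anonymous. A Deny placed in the folder's role_permissions for zope.Anonymous changes that, while a principal holding zope.Manager keeps access because the model grants when any held role allows. Whether a real Zope 3.1 instance behaves the same under both settings is exactly the experiment the message describes; the value of the model is that it makes the two candidate settings and the principals they affect explicit before trying them.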
